1 Marc J. Zwillinger Elizabeth Banker Zwillinger Genetski LLP April 7, 2011.
1
Marc J. Zwillinger
Elizabeth Banker
Zwillinger Genetski LLP
April 7, 2011
2
Understanding Universities' obligations related to Law Enforcement and Civil Demands
Developments in privacy-related litigation
Lawful Access issues on the horizon for Universities
Other issues for Universities related to security and privacy
3
Federal, state and local law enforcement issued subpoenas, court orders and warrants
National Security Requests issued under National Security Letter authority, FISA or the FAA
Civil subpoenas issued under DMCA subpoena provision
Civil subpoenas issued in private litigation
Requests without legal process:
◦ Deceased students
◦ Complaints
4
Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g; 34 CFR Part 99.
Prohibits disclosure of certain student records without student or parental consent.
Universities may disclose educational records in response to a subpoena or court order with prior notice to the student or parents.
No notice is necessary if:
◦ Grand jury subpoena with court order to not provide notice
◦ Court order and told not to provide notice
◦ AG terrorism court order (ex parte)
Emergencies
5
ECPA has two primary parts:
◦ The Wiretap Act (also known as Title III) governs real-time access to the contents of electronic communications
  Codified at 18 U.S.C. § 2510 et seq.
◦ The Stored Communications Act (“SCA”) is the portion of ECPA that specifically governs stored records and communications
  Codified at 18 U.S.C. § 2701 et seq.
◦ Other parts of ECPA: Pen Register Trap and Trace Statute, 18 U.S.C. § 3121
6
Governs real-time intercept of electronic and wire communications
Federal law prohibits intercept of communications unless an exception applies:
◦ Consent (one party)
◦ Title III Wiretap Order issued by law enforcement
◦ Protection of Rights and Property of Providers
State wiretap laws are similar, except:
◦ Twelve states require two-party/all-party consent for a valid exception to the prohibition on intercept
7
Special Issues for Universities
◦ Students or School officials recording classes
◦ Email scanning for prohibited content/conduct
◦ Archiving chat, IM, or other conversations conducted through interactive webpages
How to deal with two-party/all-party consent requirements?
◦ Implied consent
◦ Affirmative consent
8
Covered entities defined in SCA are “Electronic Communications Services” (ECS) and “Remote Computing Services” (RCS)
◦ ECS defined as “any service which provides to users thereof the ability to send or receive wire or electronic communications”
◦ RCS defined as “the provision to the public of computer storage or processing services by means of an electronic communications system”
  What does “to the public” mean?
  What public services do you offer – just broadband access, or more?
Restrictions on voluntary disclosure of information (for ECS and RCS) turn on whether University offers services “to the public”
Restrictions on compelled disclosures do not.
9
Statutory Definition / Plain Language
1) “contents of a communication while in electronic storage”
   Plain language: contents of messages or emails
2) “contents of a communication which is carried or maintained on that service on behalf of, and received by means of electronic transmission from a subscriber or customer of the service”
   Plain language: contents in stored files
3) “a record or other information pertaining to a subscriber to or customer of such service not including contents under A or B”
   Plain language: any non-identity, non-content record kept about a subscriber
4) “name, address, telephone records, session times and duration, length of service, start date, types of service utilized, telephone number or other subscriber # or identity, network address, means and source of payment”
   Plain language: basic identity information about the subscriber
10
Can be obtained through trial, grand jury or administrative subpoena under § 2703(c)(2)
◦ name & address
◦ local and long distance billing records
◦ telephone number or other account identifier (such as username or “screen name”)
◦ length & type of service provided
◦ Session times and duration
◦ Temporarily assigned network address (IP Address)
◦ Means and source of payment (cc# or bank acct)
Limited to specifically listed records
11
Scope:
◦ Not content, not basic subscriber § 2703(c)(1)(B)
◦ Everything in between
  identities of connections or email correspondence
  Subscriber info not specified in 2703 (c)(1)(c) (e.g., DOB, gender, DL #, etc)
  Connection information
Obtainable with § 2703(d) court order
◦ Issued based on showing of “specific and articulable facts” of relevance to “criminal investigation”
◦ Intermediate standard between subpoena (relevance) and search warrant (probable cause)
Delayed Notice available under § 2705
12
“Electronic storage” defined as
1) temporary, intermediate storage incidental to transmission (§2510(17)(A)); and
2) storage of such communication by an electronic communication service for purposes of backup protection of such communication
Beginning: DOJ view that a warrant was only required for unopened, received email in user’s inbox for 180 days or less. A court order or subpoena used for sent, read, or emails over 180 days old
After Theofel v. Farey-Jones (9th Cir.): Read and saved email was considered a “back up” and required a search warrant if 180 days or less old
13
Sixth Circuit Court of Appeals held in U.S. v. Warshak that the Fourth Amendment protects email content from disclosure to law enforcement absent a search warrant
Court found that individuals have a “reasonable expectation of privacy” in their email content
◦ Court left open possibility that provider or employer terms could eliminate the R.E.P.
Decisions about how to implement
◦ Restrict to district
◦ Implement nationwide
14
Public provider prohibited from voluntarily disclosing any subscriber records (§ 2702)
Exceptions
◦ Consent of originator or addressee/intended recipient
◦ To an addressee or intended recipient
◦ To law enforcement if contents inadvertently obtained & pertain to commission of a crime
◦ To person employed or authorized or whose facilities are used to forward such communication
◦ As necessary to protect provider rights and property
◦ To NCMEC in child pornography report
◦ To government if provider in good faith believes an emergency exists threatening death or serious physical injury
15
Public provider prohibited from voluntarily disclosing any contents of communications (§ 2702)
Exceptions
◦ Consent of originator or addressee/intended recipient
◦ To an addressee or intended recipient
◦ To person employed or authorized or whose facilities are used to forward such communication
◦ As necessary to protect rights and property
No prohibition on disclosing records to civil litigant (§ 2702 (c)(6))
◦ Subpoena is generally sufficient
16
FERPA allows disclosure of educational records when legal process is issued.
◦ If not prohibited by law, notice must be given to the student or parents
◦ When is notice forbidden? A court order prohibits notice (e.g., an order for delayed notice under Section 2705) or statute under which the legal process was issued prohibits notice (e.g. NSLs).
◦ When in doubt? Advise law enforcement of plan to provide notice
FERPA allows disclosure of information in response to a civil subpoena with notice, but ECPA prohibits disclosure of email content to private litigants
◦ Disclosure could be allowed if account holder consents
FERPA & ECPA both allow disclosure of records and email content when there is an emergency that puts the physical safety of a person at risk
◦ ECPA only allows emergency disclosures to law enforcement.
◦ Be sure to document the nature of the emergency, how the requested information will help LE and the requesting individual and agency.
◦ Also helpful: Emergency disclosure form, Emergency disclosure policy
17
Deceased Users and stored content
Freedom of Information Act requests
Complaints and requests to identify users without legal process
Internal, on-campus investigations
State schools and status as a “governmental entity”
National security process and non-disclosure requirements
18
ECPA Litigation
ECPA Reform
CALEA Updates
Data Retention Mandates
19
Plaintiffs' lawyers are now suing for improper disclosure of records based on claims that the legal process used was illegitimate
Entities sued: Yahoo!, Myspace, Windstream, Comcast
Theory – recipient must insist on proper service of process to make legal process valid – i.e., no out-of-state faxes.
Prediction – not going to be successful, but may not be worth the risk
20
Initially proposed by the Digital Due Process Coalition (DDP), which includes: CDT, Amazon, Google, Facebook, AOL, Microsoft, AT&T, SalesForce, Loopt, and others
Need for ECPA reform:
◦ Definitions are archaic and hard to apply to Web 2.0
◦ Different law enforcement agencies use it and have different interpretations
◦ Different jurisdictions have different interpretations
◦ Volume makes it impossible to operate with anything less than bright-line rules
◦ Litigation develops over areas of friction
◦ Many, many issues do not seem to be answered by ECPA
21
1. Technology and platform neutrality
2. All content should be protected under the 4th Amendment standard – regardless of how old it is or whether it has been “opened” or not
3. Data should receive same protection whether it is in transit or in storage
4. Recognize sensitivity of data that deserves 4th Amendment protection
22
1. All content should be protected under the 4th Amendment standard and probable cause should be required – regardless of how old it is or whether it has been “opened” or not
2. Location data, whether historical or prospective, should be produced only pursuant to a Warrant
3. The standard for pen registers/trap and trace devices should be heightened
4. Information requests made pursuant to a subpoena should be particularized to an individual or group of individuals, otherwise a 2703(d) Order or greater should be required
23
At least 4 hearings held in 2010 before House Judiciary Committee and at least one in the Senate.
Hill meetings and DOJ meetings have been occurring with increased frequency
DOJ has proposal for reform of NSL provisions (18 USC 2709) which may get linked to these efforts
◦ Proposal would clear up uncertainty regarding ability of FBI to get access to electronic communication transactional records
24
Communications Assistance to Law Enforcement Act (“CALEA”) originally passed in 1994
Mandates that covered providers build capability to intercept communications if presented with a wiretap order
◦ Currently covers telecommunications and broadband
FBI “Going Dark” Initiative seeks to expand coverage
Potential Model - Section 12 of UK’s RIPA
25
Lamar Smith (R), House Judiciary Chairman, has had several bills in past and currently working on a new bill
Hearing held in January 2011
Potential scope of data retention obligation:
◦ 6 months to 2 years of retention
◦ IP address assignment logs, IP log-in records, communications transactional records, upload IP information
EU Data Retention Directive implementation
◦ Problematic and still controversial in EU, but provides potential model
26
Child pornography reporting requirements applicable to ECS and RCS under 18 U.S.C. §2258A.
Content complaints and Section 230
Security Breach notice requirements
Required security to protect sensitive personal information
◦ E.g. Social Security Numbers